
Thread: SSL connect problem, most likely untrusted certificate

  1. #1

    SSL connect problem, most likely untrusted certificate

    I am new to Linux and other open source distributions, so please be patient with me.

    I am using external LDAP authentication with Red Hat Directory Server. I can authenticate to RHDS via port 389 with no problems, the test is successful.

    However, I have switched my RHDS system over to SSL using port 636 LDAPS.

    When I use the authentication wizard in Zimbra and choose port 636 and check the checkbox to enable SSL, I get an error at the end of my test.

    Here is what I see:

    Authentication failed:
    SSL connect problem, most likely untrusted certificate

    javax.naming.CommunicationException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]; remaining name 'dc=servername,dc=com'
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1965)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1810)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1735)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:257)
    at com.zimbra.cs.account.ldap.LdapUtil.searchDir(LdapUtil.java:1210)
    at com.zimbra.cs.account.ldap.LdapUtil.ldapAuthenticate(LdapUtil.java:317)
    at com.zimbra.cs.account.ldap.Check.checkAuthConfig(Check.java:146)
    at com.zimbra.cs.service.admin.CheckAuthConfig.handle(CheckAuthConfig.java:46)
    at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:342)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:208)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:113)
    at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:272)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:174)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
    at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
    at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:716)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:406)
    at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:211)
    at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
    at org.mortbay.jetty.handler.RewriteHandler.handle(RewriteHandler.java:176)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
    at org.mortbay.jetty.Server.handle(Server.java:313)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:506)
    at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:844)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:644)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:205)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:381)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:396)
    at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:393)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:367)
    at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:528)
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1948)
    ... 39 more
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
    ... 52 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
    ... 58 more


    What do I need to do to fix this?

  2. #2

    It's along the lines of:
    keytool -import -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -alias <alias> -file <certfile>

  3. #3

    Thank you for your reply.

    I am 100% sure this will help me, but I am not sure what the alias and certfile should be. Where do I get the cert from? Do I get it from my Red Hat Directory Server, or do I generate this or get this from my Zimbra server?

    I saw this same command elsewhere, but I think I got confused on what file I should be importing.

    My RHDS server requires 2 server certificates and a CA certificate. All are self-signed, but I am not sure it generates an actual file specifically for each certificate.

    Also, if I actually try the cert wizard in Zimbra, there is a self-signed cert and a commercially signed cert. We pretty much self-sign all of our certs. Are we required to get a commercially signed cert?

    I'm just a little confused, but I know this will get resolved if you remain patient with me.

  4. #4

    By the way, I am the administrator, so I have no one else to ask here.

  5. #5

    This thread can be resolved.

    Here is what I did to fix it and this is what I would expect to see in future forum threads:

    Generate a self-signed certificate on the RHDS server. Import the certificate into Zimbra using the following command:

    sudo /opt/zimbra/java/bin/keytool -import -alias <alias> -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file <certfile>

    In the previous versions of Zimbra it required the user to restart Tomcat, but I believe Tomcat has been replaced with mailboxd. So I did the following as Zimbra user:

    zmmailboxdctl stop
    zmmailboxdctl start

    zmcontrol stop
    zmcontrol start

    Just a side note, the certfile that is used to import can be of any file type. I found it easy to just copy the cert file into a text file and import it in.

    It may not be necessary, but I imported in the RHDS Admin Server Cert, the RHDS Directory Server Cert and the CA Cert.
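The keytool import from post #2 and the procedure in post #5, worked through as an added example; this is not code from the original thread, from Zimbra or from Red Hat Directory Server. It assumes the RHDS host name ldap.example.com, the keystore alias rhds-ca and the constructed `openssl s_client` transcript embedded in the script; the keystore path and `changeit` password are the ones quoted in the thread. Two points the posts leave open: keytool only accepts an X.509 certificate in DER or PEM (base64) encoding, so "any file type" means one of those two, and the entry the Java client actually needs is the certificate that issued the RHDS server certificate (the CA, or the server certificate itself when it is self-signed), checked with `openssl verify` before it goes into the trust store.

```shell
#!/bin/sh
# Added example for this thread, not Zimbra's or Red Hat's own tooling.
# Assumptions (not in the original posts): host ldap.example.com, alias
# "rhds-ca", and the constructed s_client transcript below.  The live
# helpers need openssl and the Zimbra-bundled keytool; the offline part
# at the bottom needs only sed/awk.
set -eu

# Constructed stand-in for `openssl s_client -connect HOST:636 -showcerts`
# output: server certificate first, then the issuing CA.  The base64
# bodies are placeholders, not real certificates.
SAMPLE_CHAIN='CONNECTED(00000003)
depth=1 CN = Constructed RHDS CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=ldap.example.com
   i:/CN=Constructed RHDS CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDSERVERCERTBODY
-----END CERTIFICATE-----
 1 s:/CN=Constructed RHDS CA
   i:/CN=Constructed RHDS CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDCACERTBODY
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ldap.example.com
issuer=/CN=Constructed RHDS CA
---
    Verify return code: 19 (self signed certificate in certificate chain)
---'

# Keep only the PEM blocks, in the order the server sent them.
extract_pem_certs() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Number of certificates sent; 1 means the server certificate is self-signed.
count_pem_certs() {
    extract_pem_certs | grep -c '^-----BEGIN CERTIFICATE-----$'
}

# First block: the server (leaf) certificate.
first_pem_cert() {
    extract_pem_certs | awk '/^-----BEGIN CERTIFICATE-----$/ { n++ } n == 1 { print }'
}

# Last block: the issuer the client has to trust (the leaf itself when self-signed).
last_pem_cert() {
    extract_pem_certs | awk '
        /^-----BEGIN CERTIFICATE-----$/ { buf = "" }
        { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----$/   { last = buf }
        END { printf "%s", last }'
}

# Live: pull the chain straight from the LDAPS port.   fetch_chain HOST PORT
fetch_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null
}

# Check before importing: the candidate CA must validate the server cert,
# otherwise Java keeps failing with the same PKIX error.   verify_chain CA SERVER
verify_chain() {
    openssl verify -CAfile "$1" "$2"
}

# Import into the JRE trust store mailboxd uses (paths from the thread) and
# list the entry back to confirm it landed.   import_ca ALIAS CA_PEM
import_ca() {
    /opt/zimbra/java/bin/keytool -import -noprompt -trustcacerts -alias "$1" -file "$2" \
        -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
    /opt/zimbra/java/bin/keytool -list -alias "$1" \
        -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
}

# End to end:   trust_ldaps_ca ldap.example.com 636 rhds-ca
trust_ldaps_ca() {
    tmp=$(mktemp -d)
    fetch_chain "$1" "$2" > "$tmp/chain.txt"
    first_pem_cert < "$tmp/chain.txt" > "$tmp/server.pem"
    last_pem_cert  < "$tmp/chain.txt" > "$tmp/ca.pem"
    openssl x509 -noout -subject -issuer -dates -in "$tmp/ca.pem"
    verify_chain "$tmp/ca.pem" "$tmp/server.pem"
    import_ca "$3" "$tmp/ca.pem"
    echo "keep $tmp/ca.pem for re-import; now stop and start mailboxd so the JVM rereads cacerts"
}

# Offline demonstration on the constructed transcript (no network, no keytool).
printf '%s\n' "$SAMPLE_CHAIN" | count_pem_certs
printf '%s\n' "$SAMPLE_CHAIN" | last_pem_cert
```

Run the live function as root or via sudo, as post #5 does, because cacerts is owned by the Zimbra installation; the alias is arbitrary but must not collide with an entry already in the store, and keytool refuses a duplicate. The JVM reads cacerts at startup, so the stop/start of mailboxd in post #5 is what makes the new entry take effect. Because the entry lives inside the bundled JRE, keep the exported CA file so it can be imported again if that JRE is replaced.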
